CNBC Feature: 5 Steps to Take If You Suspect You Were Affected by the MGM Resort Data Breach
PCI Pal’s risk calculator survey results were featured in a CNBC article. Read the full article here.
The personal data of approximately 10.6 million consumers who stayed at MGM resorts appeared online in February 2020, ranging from home addresses and contact information to driver’s licenses and passport numbers in some cases.
The data, which was obtained during a July 2019 leak, was published on a hacking forum on Monday and verified by ZDNet and Under the Breach, a soon-to-launch data breach monitoring service. The file contained personal details including full names, birthdates, addresses, email addresses and phone numbers. For about 1,300 individuals, more sensitive data such as driver’s licenses, passports or military ID cards, was found online.
It’s not surprising that a hotel company was involved in a data breach, says Emily Wilson, vice president of research at the digital risk protection provider Terbium Labs. “The hospitality industry sits on a hotbed of valuable data that meets at a critical intersection of personal details, financial information and physical safety – travel data, companions and patterns of behavior.”
This is not the first time a hotel chain has been involved in a data breach. In 2018, Marriott hotels reported a data hack involving 300 million people who stayed at Starwood hotels.
Unfortunately, there may not be a lot individuals can do to completely protect themselves in response. “Breaches like the one impacting MGM are often difficult for consumers to respond to,” Daniel Smith, head of security research at Radware, tells CNBC Make It. There’s no “easy fix,” he says.
“In the MGM event, the only information you could change would be your phone number and email address,” he says, noting victims are unlikely to sell their house because their address was exposed.
Beyond monitoring your accounts, here’s a rundown of the steps you can take in response to this data breach.
To freeze or not to freeze your credit?
In many data breaches, experts recommend that consumers put a freeze on their credit reports to stop anyone from taking out a credit card or loan in their name.
Yet in the case of the MGM data breach, a credit freeze may not be a comprehensive solution, since the data set contained no financial information, NBC News confirmed.
“A credit freeze doesn’t do much for identity theft,” says cybersecurity expert Joseph Steinberg. “Everybody comes [to these breaches] with the assumption that there’s something to do, and the reality is, sometimes, there isn’t anything a consumer needs to do.”
The biggest threat is not that a criminal could open a credit card in your name and make fraudulent transactions; that could be fixed quickly since credit card companies know about the problem, Steinberg says. In fact, the Fair Credit Billing Act makes it so consumers are only liable for up to $50 in fraudulent charges. And major credit card companies, including American Express, Discover, Mastercard and Visa, offer “zero liability” policies, so you don’t have to pay for any fraud. That’s why many experts recommend that you use credit cards instead of debit cards.
“If someone got a driver’s license in your name, that’s a lot more of a serious problem for you,” Steinberg says, noting that identity theft can be difficult for victims to unwind.
That said, credit freezes are still a crucial piece of consumer safety for both financial data and personal information, Wilson says. It pays to have one in place since so many data breaches do involve financial data. “If consumers haven’t already frozen their credit in the wake of breaches like Equifax, this breach is a timely reminder that it’s the most powerful resource at their disposal,” she says.
If you want to freeze your credit reports and haven’t already done so, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit if you’re applying for any credit products in the future, like a personal loan, credit card or mortgage.
Beyond freezing your credit, here are five ways that you can protect yourself if your information was involved in the MGM data breach.
1. Change your passwords
The MGM data released this week was part of a previously reported leak. The company notified customers last August after it “discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resort,” according to a statement to CNBC Make It. MGM did not disclose which locations were affected.
Since the breach, MGM tells CNBC Make It that the company has “strengthened and enhanced the security of our network to prevent this from happening again.”
Go back through your emails to check to see if you’ve been affected or contact MGM. Even if you’re not sure if your information was involved, it’s a good idea to change any passwords associated with your MGM Resort bookings, as well as any bank or credit card accounts used to make reservations. In fact, you should always be changing your passwords regularly.
Almost half of Americans, 47%, use the same passwords over and over again, according to PCI Pal. This can cause problems in a data breach: Only one account may be compromised, but if you’ve used that same password in several places, you’ll need to change all of them. Look into using a password manager such as LastPass or Dashlane. These programs will automatically generate unique, secure passwords for all your accounts and remember them for you.
2. If you don’t already have it, set up credit monitoring
Consumers should check their credit report on a regular basis. Unlike a simple credit score, your entire credit report provides a comprehensive look at your credit history and activity. You can get a free copy of your report once a year from each of the three major credit bureaus: Equifax, Experian and Transunion.
You can also set up a free monitoring service through sites like Credit Karma, which will send you alert emails about any recent activity on your TransUnion or Equifax credit reports.
In addition to setting up your own monitoring, you may also be eligible for free credit monitoring if you were affected by the massive Yahoo data breaches. The company has entered into $117.5 million settlement that offers this service to those affected.
Consumers should also use a service like haveibeenpwned.com to track if and when their data is leaked, says Jerry Gamblin, principal security engineer at Kenna Security. Roughly eight out of 10 emails released as part of the MGM data breach were already in the haveibeenpwned databases from other hacks.
3. Practice good cybersecurity habits
To protect your data year-round, experts recommend that consumers practice common safeguards, such as avoiding clicking on links or opening attachments in emails, especially when you don’t know the sender.
Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what’s called a phishing email. “Email is the No. 1 way cybercrime of all forms happens. If a bad guy can get you to click on a link in an email, he can do all manner of bad things to your online life,” says Dave Baggett, co-founder and CEO of anti-phishing start-up Inky.
Consumers should use two-factor authentication to log into their accounts, which generally requires users to not only enter a password, but also confirm their identity by logging onto their phone or entering a code texted or emailed to them.
4. Keep a record of your response
Each one of those hacks could lead to class-action lawsuits and investigations by regulators, like in the case of Equifax. While not all data breaches will result in a settlement, it’s good to be prepared. Consumers should take breach notifications seriously and document what they do in response, Charity Lacey, VP of communications at ITRC, tells CNBC Make It.
The Identity Theft Center’s ID Theft Help app has a case log manager tool that can help you track any actions you take in response to a breach.
5. Stay alert
It can’t be stressed enough: The best response is to be vigilant, Steinberg says. There are some pieces of information that don’t typically change, such as Social Security numbers and your home address. Because of their static nature, they become more valuable over time, Steinberg says.
If you’re concerned with exposure, you may want to consider creating and using different email addresses for traveling purposes, Smith says. The same applies for the phone number you provide. “Isolating your primary information from unnecessary exposure is the key takeaway,” he says.
Pay particular attention to emails and monitor your accounts closely when you travel. “Victims of the MGM hack need to be prepared to be targeted by phishing emails using the breach or their stay as a lure,” Smith says.